From bc8698b5dba7e38e6cee54c44c8675735b69f499 Mon Sep 17 00:00:00 2001
From: emelinda
Date: Fri, 24 Apr 2026 17:21:56 +0300
Subject: [PATCH] Migrate `attachments` app to HelmRelease: replace Deployment and Service with HelmRelease and update kustomization configuration.
---
apps/attachments/base/deployment.yaml | 70 --------------
apps/attachments/base/helmrelease.yaml | 111 +++++++++++++++++++++++
apps/attachments/base/kustomization.yaml | 3 +-
apps/attachments/base/service.yaml | 14 ---
4 files changed, 112 insertions(+), 86 deletions(-)
delete mode 100644 apps/attachments/base/deployment.yaml
create mode 100644 apps/attachments/base/helmrelease.yaml
delete mode 100644 apps/attachments/base/service.yaml
diff --git a/apps/attachments/base/deployment.yaml b/apps/attachments/base/deployment.yaml
deleted file mode 100644
index 817c6c7..0000000
--- a/apps/attachments/base/deployment.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: attachments
- namespace: attachments
- labels:
- app: attachments
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: attachments
- template:
- metadata:
- labels:
- app: attachments
- annotations:
- traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
- vault.hashicorp.com/agent-init-first: "true"
- vault.hashicorp.com/agent-inject: "true"
- vault.hashicorp.com/agent-pre-populate-only: "true"
- vault.hashicorp.com/auth-path: auth/kubernetes
- vault.hashicorp.com/role: attachments
- vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
- vault.hashicorp.com/agent-inject-template-attachments-db: |-
- {{- with secret "secrets/data/postgresql/apps/attachments" -}}
- DATABASE_HOST=postgresql.attachments.svc.cluster.local
- DATABASE_PORT=5432
- DATABASE_NAME=attachments_db
- DATABASE_USER={{ index .Data.data "username" }}
- DATABASE_PASSWORD={{ index .Data.data "password" }}
- DATABASE_SSL_MODE=disable
- {{- end -}}
- vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
- vault.hashicorp.com/agent-inject-template-attachments-s3: |-
- {{- with secret "secrets/data/minio/apps/attachments" -}}
- YANDEX_S3_ENDPOINT_URL=minio.minio:9000
- YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
- YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
- YANDEX_S3_USE_SSL=false
- YANDEX_S3_REGION=ru-central
- YANDEX_S3_VERIFY=false
- BUCKET_NAME=attachments
- {{- end -}}
- spec:
- serviceAccountName: attachments-vault
- containers:
- - name: attachments
- image: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
- imagePullPolicy: IfNotPresent
- command: ["/bin/bash", "-ec"]
- args:
- - |
- set -a
- [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
- [ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
- set +a
- exec /opt/attachments/entrypoint.sh
- ports:
- - name: http
- containerPort: 8000
- protocol: TCP
- env:
- - name: POSTGRES_POOL_SIZE
- value: "10"
- - name: API_ADDRESS
- value: 0.0.0.0:8000
- imagePullSecrets:
- - name: regcred
diff --git a/apps/attachments/base/helmrelease.yaml b/apps/attachments/base/helmrelease.yaml
new file mode 100644
index 0000000..5294201
--- /dev/null
+++ b/apps/attachments/base/helmrelease.yaml
@@ -0,0 +1,111 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: attachments
+ namespace: attachments
+spec:
+ interval: 10m
+ chart:
+ spec:
+ chart: universal-chart
+ version: "0.1.8"
+ sourceRef:
+ kind: HelmRepository
+ name: yc-oci-charts
+ namespace: flux-system
+ interval: 10m
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
+ values:
+ global:
+ env: _default
+ services:
+ attachments:
+ enabled: true
+ serviceAccount:
+ # Не создаём SA — используем существующий из base/serviceaccount.yaml.
+ name:
+ _default: attachments-vault
+ deployment:
+ enabled: true
+ name:
+ _default: attachments
+ replicaCount:
+ _default: 1
+ port:
+ _default: 8000
+ command:
+ _default: ["/bin/bash", "-ec"]
+ args:
+ _default:
+ - |
+ set -a
+ [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
+ [ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
+ set +a
+ exec /opt/attachments/entrypoint.sh
+ image:
+ name:
+ _default: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
+ pullPolicy:
+ _default: IfNotPresent
+ service:
+ enabled: true
+ name:
+ _default: attachments-service
+ type:
+ _default: ClusterIP
+ port:
+ _default: 8000
+ targetPort:
+ _default: 8000
+ portName:
+ _default: http
+ imagePullSecrets:
+ enabled:
+ _default: true
+ name:
+ _default: regcred
+ envs:
+ - name: POSTGRES_POOL_SIZE
+ value:
+ _default: "10"
+ - name: API_ADDRESS
+ value:
+ _default: 0.0.0.0:8000
+ podAnnotations:
+ _default:
+ # Порт Vault 8200 добавлен к дефолтным портам трейсинга — иначе
+ # чарт перезатрёт их одиночным "8200" и SigNoz перестанет ходить.
+ traffic.sidecar.istio.io/excludeOutboundPorts: "4317,4318,9411,8200"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: attachments
+ vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
+ vault.hashicorp.com/agent-inject-template-attachments-db: |-
+ {{- with secret "secrets/data/postgresql/apps/attachments" -}}
+ DATABASE_HOST=postgresql.attachments.svc.cluster.local
+ DATABASE_PORT=5432
+ DATABASE_NAME=attachments_db
+ DATABASE_USER={{ index .Data.data "username" }}
+ DATABASE_PASSWORD={{ index .Data.data "password" }}
+ DATABASE_SSL_MODE=disable
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
+ vault.hashicorp.com/agent-inject-template-attachments-s3: |-
+ {{- with secret "secrets/data/minio/apps/attachments" -}}
+ YANDEX_S3_ENDPOINT_URL=minio.minio:9000
+ YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
+ YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
+ YANDEX_S3_USE_SSL=false
+ YANDEX_S3_REGION=ru-central
+ YANDEX_S3_VERIFY=false
+ BUCKET_NAME=attachments
+ {{- end -}}
diff --git a/apps/attachments/base/kustomization.yaml b/apps/attachments/base/kustomization.yaml
index 2487bc6..119e803 100644
--- a/apps/attachments/base/kustomization.yaml
+++ b/apps/attachments/base/kustomization.yaml
@@ -5,5 +5,4 @@ namespace: attachments
 resources:
 - namespace.yaml
 - serviceaccount.yaml
- - deployment.yaml
- - service.yaml
+ - helmrelease.yaml
diff --git a/apps/attachments/base/service.yaml b/apps/attachments/base/service.yaml
deleted file mode 100644
index 90823b9..0000000
--- a/apps/attachments/base/service.yaml
+++ /dev/null
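Review bot: The Vault templates under `podAnnotations` in helmrelease.yaml still render `DATABASE_SSL_MODE=disable`, `YANDEX_S3_USE_SSL=false` and `YANDEX_S3_VERIFY=false`, so the database password and the S3 keys reach PostgreSQL and MinIO without application-level TLS; whether mesh mTLS covers those two hops is not visible in this patch, and the values were carried over unchanged from the deleted Deployment. If both endpoints can serve TLS I would switch to `YANDEX_S3_USE_SSL=true` / `YANDEX_S3_VERIFY=true` and a verifying database SSL mode, otherwise put a comment above those lines such as `# TLS off on purpose: protected by mesh policy <policy-name>`. The same templates write `DATABASE_PASSWORD={{ index .Data.data "password" }}` unquoted into a file that the `args` script sources with `.`, so a secret value containing whitespace or shell metacharacters would be interpreted by bash instead of assigned verbatim; and because `[ -f … ] && . …` skips a missing file without tripping `-e`, the container starts with no credentials rather than failing at startup. The image is also referenced by the tag `feature_6238c882` with `pullPolicy` `IfNotPresent`; pinning it as `…/attachments@sha256:<digest>` would tie the release to one exact image.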
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: attachments-service
- namespace: attachments
-spec:
- type: ClusterIP
- selector:
- app: attachments
- ports:
- - port: 8000
- targetPort: 8000
- protocol: TCP